We've found an issue with Bitbucket Cloud, where any user with write permissions has the ability to export the runtime secrets, including workspace / repository / deployment secrets, to an artifact. Like so:
1. A user with write access creates a new branch from the main branch.
2. That user then modifies the bitbucket-pipelines.yml file, and adds a step similar to this:
- printenv | tee output.txt
3. Then that user can push the changes, run the step on that branch, and download the artifact, revealing all of the secrets.
How do you prevent this kind of leakage?
We mention this in our documentation here:
Workspace variables can be accessed by all users with write permission for any repository (private or public) that belongs to the team or account.
Pipelines variables added at the repository level can be used by any user who has write access in the repository.
There is no way to prevent this for workspace and repository variables. However, it is possible to restrict access to deployment variables to admins only:
If your workspace is on the Premium plan, you can enable this option for certain or all deployment environments. If someone who is not an admin triggers a pipeline to an environment that has this feature enabled, the build will get paused.
An admin of the repo can resume a paused build or do nothing. Selecting the cog icon (shown in the following screenshot) in the paused build will show you the yml file for the commit/branch that triggered the pipeline:
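As an added example for this thread (not Atlassian's tooling, and not code posted by either participant): a review-time check, in Python, that walks a parsed bitbucket-pipelines.yml and flags every step that both runs an environment-dumping command and declares artifacts, which is the combination the question describes. Each finding records whether the step is a deployment step, because, as the answer explains, only deployment variables can be restricted to admins. The command list, the constructed sample pipeline and the field layout it assumes (the dictionary yaml.safe_load() returns, with step/parallel/stage items) are assumptions of this example.

```python
"""Flag bitbucket-pipelines.yml steps that could copy the pipeline environment
(workspace / repository / deployment variables) into a downloadable artifact.

Added example for this thread, not Atlassian's tooling.  It works on the
dictionary that yaml.safe_load() returns for a bitbucket-pipelines.yml.
"""
import re

# Commands that print the whole process environment.  Assumption: this list is
# illustrative, not exhaustive, and 'env' also matches harmless uses such as
# 'npm run env' (a false positive that is cheap to review by hand).
ENV_DUMP = re.compile(
    r"(?:^|[\s;&|(])"                                   # at a command position
    r"(?:printenv|env|export\s+-p|declare\s+-x|compgen\s+-e"
    r"|cat\s+/proc/\S*/environ"
    r"|set(?=\s*(?:$|[;&|)])))"                         # bare 'set' only; 'set -e' is not a dump
    r"(?=\s|$|[;&|)])"
)


def _walk(pipeline_id, items):
    """Yield (pipeline_id, step) for each step in an item list, descending into
    'parallel' groups (a list or {'steps': [...]}) and 'stage' blocks."""
    for item in items or []:
        if not isinstance(item, dict):
            continue
        if "step" in item:
            yield pipeline_id, item["step"]
        elif "parallel" in item:
            group = item["parallel"]
            yield from _walk(pipeline_id, group.get("steps") if isinstance(group, dict) else group)
        elif "stage" in item:
            yield from _walk(pipeline_id, item["stage"].get("steps"))


def iter_steps(config):
    """Yield every step under the top-level 'pipelines' key.  'default' is a
    plain list; 'branches', 'pull-requests', 'tags' and 'custom' map a
    pattern or name to a list."""
    for section, body in (config.get("pipelines") or {}).items():
        if isinstance(body, list):
            yield from _walk(section, body)
        elif isinstance(body, dict):
            for pattern, items in body.items():
                yield from _walk(f"{section}/{pattern}", items)


def declared_artifacts(step):
    """Artifact globs of a step: 'artifacts' is either a list or a mapping
    with a 'paths' list (and a 'download' flag)."""
    artifacts = step.get("artifacts") or []
    if isinstance(artifacts, dict):
        artifacts = artifacts.get("paths") or []
    return [a for a in artifacts if isinstance(a, str)]


def find_env_dumping_steps(config):
    """One finding per script line that dumps the environment inside a step
    that also declares artifacts.  'deployment' is the step's deployment
    environment or None: steps without it only see workspace/repository
    variables (which cannot be restricted); deployment steps are the ones the
    admin-only setting can pause."""
    findings = []
    for pipeline_id, step in iter_steps(config):
        artifacts = declared_artifacts(step)
        if not artifacts:
            continue  # nothing from this step can be downloaded
        lines = list(step.get("script") or []) + list(step.get("after-script") or [])
        for line in lines:
            if isinstance(line, str) and ENV_DUMP.search(line):  # pipe entries are dicts; skip
                findings.append({
                    "pipeline": pipeline_id,
                    "step": step.get("name", "<unnamed>"),
                    "deployment": step.get("deployment"),
                    "command": line,
                    "artifacts": artifacts,
                })
    return findings


def load_pipeline(path):
    """Parse a real bitbucket-pipelines.yml.  PyYAML is imported lazily so the
    constructed sample below runs without it."""
    import yaml  # pip install pyyaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


# Constructed sample: what yaml.safe_load() returns for a file with a normal
# build step, the branch step from the question, and a deployment step.
SAMPLE_PIPELINES = {
    "pipelines": {
        "default": [
            {"step": {"name": "Build", "script": ["set -e", "npm ci", "npm test"],
                      "artifacts": ["dist/**"]}},
        ],
        "branches": {
            "feature/*": [
                {"step": {"name": "Dump", "script": ["printenv | tee output.txt"],
                          "artifacts": ["output.txt"]}},
            ],
            "main": [
                {"step": {"name": "Deploy", "deployment": "production",
                          "script": ["env > env.txt", "./deploy.sh"],
                          "artifacts": ["env.txt"]}},
            ],
        },
    }
}

if __name__ == "__main__":
    import sys
    config = load_pipeline(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PIPELINES
    for f in find_env_dumping_steps(config):
        gate = (f"deployment '{f['deployment']}' (admin-only gating possible)" if f["deployment"]
                else "not a deployment step (workspace/repository variables, no gating)")
        print(f"{f['pipeline']} / {f['step']}: {f['command']!r} -> {f['artifacts']}; {gate}")
```

Run it against the changed bitbucket-pipelines.yml during pull-request review. It is a review aid, not a control: a user with write access can edit or delete the step that runs the check on their own branch just as easily as they can add the dumping step, so the only enforcement the answer names remains the admin-only restriction on deployment variables.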